From 283fa151da254572d02d3ed7dd3269c2a146ef11 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 1 Oct 2024 06:36:39 +0000 Subject: [PATCH] import CS nginx-1.22.1-8.module_el9+1086+80da4ced --- SOURCES/0008-add-ssl-pass-phrase-dialog.patch | 100 ++++++---- ...HTTP-2-per-iteration-stream-handling.patch | 76 ++++++++ ...fer-ENGINE_finish-calls-to-a-cleanup.patch | 126 ++++++++++++ SOURCES/0011-Optimized-chain-link-usage.patch | 183 ++++++++++++++++++ SPECS/nginx.spec | 24 ++- 5 files changed, 472 insertions(+), 37 deletions(-) create mode 100644 SOURCES/0009-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch create mode 100644 SOURCES/0010-defer-ENGINE_finish-calls-to-a-cleanup.patch create mode 100644 SOURCES/0011-Optimized-chain-link-usage.patch diff --git a/SOURCES/0008-add-ssl-pass-phrase-dialog.patch b/SOURCES/0008-add-ssl-pass-phrase-dialog.patch index 6e5986b..bdb48eb 100644 --- a/SOURCES/0008-add-ssl-pass-phrase-dialog.patch +++ b/SOURCES/0008-add-ssl-pass-phrase-dialog.patch @@ -1,8 +1,29 @@ +From c0f75dac24544bdae1ccfccf3d6a05c1b9243d8a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Thu, 23 May 2024 14:09:05 +0200 +Subject: [PATCH] Add ssl-pass-phrase-dialog + +--- + contrib/vim/syntax/nginx.vim | 1 + + src/event/ngx_event_openssl.c | 133 ++++++++++++++++++++--- + src/event/ngx_event_openssl.h | 15 ++- + src/http/modules/ngx_http_grpc_module.c | 2 +- + src/http/modules/ngx_http_proxy_module.c | 2 +- + src/http/modules/ngx_http_ssl_module.c | 76 ++++++++++++- + src/http/modules/ngx_http_ssl_module.h | 2 + + src/http/modules/ngx_http_uwsgi_module.c | 2 +- + src/mail/ngx_mail_ssl_module.c | 68 +++++++++++- + src/mail/ngx_mail_ssl_module.h | 2 + + src/stream/ngx_stream_proxy_module.c | 2 +- + src/stream/ngx_stream_ssl_module.c | 62 ++++++++++- + src/stream/ngx_stream_ssl_module.h | 2 + + 13 files changed, 344 insertions(+), 25 deletions(-) + diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim -index 7d587fc..15b21e2 100644 +index 6828cd3..9df0a53 100644 --- a/contrib/vim/syntax/nginx.vim +++ b/contrib/vim/syntax/nginx.vim -@@ -617,6 +617,7 @@ syn keyword ngxDirective contained ssl_ocsp +@@ -624,6 +624,7 @@ syn keyword ngxDirective contained ssl_ocsp syn keyword ngxDirective contained ssl_ocsp_cache syn keyword ngxDirective contained ssl_ocsp_responder syn keyword ngxDirective contained ssl_password_file @@ -11,7 +32,7 @@ index 7d587fc..15b21e2 100644 syn keyword ngxDirective contained ssl_preread syn keyword ngxDirective contained ssl_protocols diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c -index 104e8da..8cf777e 100644 +index d6fe5bc..fb05ab9 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -9,9 +9,8 @@ @@ -36,7 +57,7 @@ index 104e8da..8cf777e 100644 static int ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata); static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store); -@@ -88,6 +87,12 @@ static time_t ngx_ssl_parse_time( +@@ -87,6 +86,12 @@ static time_t ngx_ssl_parse_time( #endif ASN1_TIME *asn1time, ngx_log_t *log); @@ -49,7 +70,7 @@ index 104e8da..8cf777e 100644 static void *ngx_openssl_create_conf(ngx_cycle_t *cycle); static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); static void ngx_openssl_exit(ngx_cycle_t *cycle); -@@ -398,7 +403,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) +@@ -404,7 +409,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, @@ -58,7 +79,7 @@ index 104e8da..8cf777e 100644 { ngx_str_t *cert, *key; ngx_uint_t i; -@@ -408,7 +413,7 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, +@@ -414,7 +419,7 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, for (i = 0; i < certs->nelts; i++) { @@ -67,7 +88,7 @@ index 104e8da..8cf777e 100644 != NGX_OK) { return NGX_ERROR; -@@ -421,12 +426,13 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, +@@ -427,12 +432,13 @@ ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, @@ -82,7 +103,7 @@ index 104e8da..8cf777e 100644 x509 = ngx_ssl_load_certificate(cf->pool, &err, cert, &chain); if (x509 == NULL) { -@@ -516,8 +522,19 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, +@@ -522,8 +528,23 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, } #endif @@ -94,7 +115,11 @@ index 104e8da..8cf777e 100644 + "X509_get_pubkey() failed"); + return NGX_ERROR; + } -+ dlg->cryptosystem = EVP_PKEY_get_base_id(pubkey); ++ ++ if (dlg) { ++ dlg->cryptosystem = EVP_PKEY_get_base_id(pubkey); ++ } ++ + EVP_PKEY_free(pubkey); + + pkey = ngx_ssl_load_certificate_key(cf->pool, &err, key, passwords, dlg); @@ -104,7 +129,7 @@ index 104e8da..8cf777e 100644 if (err != NULL) { ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "cannot load certificate key \"%s\": %s", -@@ -587,7 +604,7 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool, +@@ -593,7 +614,7 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool, #endif @@ -113,7 +138,7 @@ index 104e8da..8cf777e 100644 if (pkey == NULL) { if (err != NULL) { ngx_ssl_error(NGX_LOG_ERR, c->log, 0, -@@ -700,10 +717,81 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, +@@ -771,10 +792,81 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, return x509; } @@ -197,7 +222,7 @@ index 104e8da..8cf777e 100644 { BIO *bio; EVP_PKEY *pkey; -@@ -791,11 +879,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, +@@ -870,11 +962,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, tries = 1; pwd = NULL; cb = NULL; @@ -226,7 +251,7 @@ index 104e8da..8cf777e 100644 break; } diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h -index 860ea26..41f4501 100644 +index eb3288b..b275a38 100644 --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -74,9 +74,19 @@ @@ -270,10 +295,10 @@ index 860ea26..41f4501 100644 ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords); diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c -index dfe49c5..904263d 100644 +index 864fc4f..c1b5fb4 100644 --- a/src/http/modules/ngx_http_grpc_module.c +++ b/src/http/modules/ngx_http_grpc_module.c -@@ -4983,7 +4983,7 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf) +@@ -4925,7 +4925,7 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf) if (ngx_ssl_certificate(cf, glcf->upstream.ssl, &glcf->upstream.ssl_certificate->value, &glcf->upstream.ssl_certificate_key->value, @@ -283,10 +308,10 @@ index dfe49c5..904263d 100644 { return NGX_ERROR; diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c -index 9cc202c..2c938d7 100644 +index 7c4061c..e971396 100644 --- a/src/http/modules/ngx_http_proxy_module.c +++ b/src/http/modules/ngx_http_proxy_module.c -@@ -5032,7 +5032,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf) +@@ -4974,7 +4974,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf) if (ngx_ssl_certificate(cf, plcf->upstream.ssl, &plcf->upstream.ssl_certificate->value, &plcf->upstream.ssl_certificate_key->value, @@ -296,7 +321,7 @@ index 9cc202c..2c938d7 100644 { return NGX_ERROR; diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c -index 4c4a598..a147054 100644 +index e765a50..6af69d1 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -17,8 +17,9 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, @@ -361,7 +386,7 @@ index 4c4a598..a147054 100644 ngx_pool_cleanup_t *cln; -@@ -674,6 +689,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -672,6 +687,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) ngx_conf_merge_str_value(conf->stapling_responder, prev->stapling_responder, ""); @@ -371,7 +396,7 @@ index 4c4a598..a147054 100644 conf->ssl.log = cf->log; if (conf->enable) { -@@ -736,6 +754,30 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -734,6 +752,30 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) cln->handler = ngx_ssl_cleanup_ctx; cln->data = &conf->ssl; @@ -402,7 +427,7 @@ index 4c4a598..a147054 100644 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, -@@ -786,7 +828,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -784,7 +826,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) /* configure certificates */ if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, @@ -411,7 +436,7 @@ index 4c4a598..a147054 100644 != NGX_OK) { return NGX_CONF_ERROR; -@@ -1335,3 +1377,31 @@ ngx_http_ssl_init(ngx_conf_t *cf) +@@ -1333,3 +1375,31 @@ ngx_http_ssl_init(ngx_conf_t *cf) return NGX_OK; } @@ -457,10 +482,10 @@ index 7ab0f7e..2f83d75 100644 diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c -index e4f721b..61efa99 100644 +index d46741a..d728874 100644 --- a/src/http/modules/ngx_http_uwsgi_module.c +++ b/src/http/modules/ngx_http_uwsgi_module.c -@@ -2564,7 +2564,7 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf) +@@ -2461,7 +2461,7 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf) if (ngx_ssl_certificate(cf, uwcf->upstream.ssl, &uwcf->upstream.ssl_certificate->value, &uwcf->upstream.ssl_certificate_key->value, @@ -470,7 +495,7 @@ index e4f721b..61efa99 100644 { return NGX_ERROR; diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c -index 28737ac..728181d 100644 +index 63af775..b3cd38e 100644 --- a/src/mail/ngx_mail_ssl_module.c +++ b/src/mail/ngx_mail_ssl_module.c @@ -13,6 +13,7 @@ @@ -513,7 +538,7 @@ index 28737ac..728181d 100644 char *mode; ngx_pool_cleanup_t *cln; -@@ -388,6 +400,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -386,6 +398,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL); @@ -522,7 +547,7 @@ index 28737ac..728181d 100644 conf->ssl.log = cf->log; -@@ -449,6 +463,29 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -447,6 +461,29 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) cln->handler = ngx_ssl_cleanup_ctx; cln->data = &conf->ssl; @@ -552,7 +577,7 @@ index 28737ac..728181d 100644 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_mail_ssl_alpn_select, NULL); #endif -@@ -461,7 +498,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -459,7 +496,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) } if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, @@ -561,7 +586,7 @@ index 28737ac..728181d 100644 != NGX_OK) { return NGX_CONF_ERROR; -@@ -745,3 +782,32 @@ ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data) +@@ -743,3 +780,32 @@ ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data) return NGX_CONF_OK; #endif } @@ -608,10 +633,10 @@ index a0a6113..3d87d50 100644 diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c -index ed275c0..1747aed 100644 +index 934e7d8..34d0195 100644 --- a/src/stream/ngx_stream_proxy_module.c +++ b/src/stream/ngx_stream_proxy_module.c -@@ -2305,7 +2305,7 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf) +@@ -2248,7 +2248,7 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf) if (ngx_ssl_certificate(cf, pscf->ssl, &pscf->ssl_certificate->value, &pscf->ssl_certificate_key->value, @@ -621,7 +646,7 @@ index ed275c0..1747aed 100644 { return NGX_ERROR; diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c -index 1ba1825..ba70547 100644 +index f922ac4..66b4b67 100644 --- a/src/stream/ngx_stream_ssl_module.c +++ b/src/stream/ngx_stream_ssl_module.c @@ -17,6 +17,8 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, @@ -665,7 +690,7 @@ index 1ba1825..ba70547 100644 ngx_pool_cleanup_t *cln; -@@ -732,6 +745,8 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -730,6 +743,8 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL); @@ -674,7 +699,7 @@ index 1ba1825..ba70547 100644 conf->ssl.log = cf->log; -@@ -779,6 +794,23 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -777,6 +792,23 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) cln->handler = ngx_ssl_cleanup_ctx; cln->data = &conf->ssl; @@ -698,7 +723,7 @@ index 1ba1825..ba70547 100644 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, ngx_stream_ssl_servername); -@@ -823,7 +855,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) +@@ -821,7 +853,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child) /* configure certificates */ if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, @@ -707,7 +732,7 @@ index 1ba1825..ba70547 100644 != NGX_OK) { return NGX_CONF_ERROR; -@@ -1209,3 +1241,31 @@ ngx_stream_ssl_init(ngx_conf_t *cf) +@@ -1207,3 +1239,31 @@ ngx_stream_ssl_init(ngx_conf_t *cf) return NGX_OK; } @@ -752,3 +777,6 @@ index e7c825e..d80daa4 100644 } ngx_stream_ssl_conf_t; +-- +2.44.0 + diff --git a/SOURCES/0009-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch b/SOURCES/0009-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch new file mode 100644 index 0000000..a73a597 --- /dev/null +++ b/SOURCES/0009-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch @@ -0,0 +1,76 @@ +From b6aa9504cdfb6391d895dcbddc87b9260ea6968c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Wed, 11 Oct 2023 09:59:23 +0200 +Subject: [PATCH] CVE-2023-44487 - HTTP/2: per-iteration stream handling limit. + +To ensure that attempts to flood servers with many streams are detected +early, a limit of no more than 2 * max_concurrent_streams new streams per one +event loop iteration was introduced. This limit is applied even if +max_concurrent_streams is not yet reached - for example, if corresponding +streams are handled synchronously or reset. + +Further, refused streams are now limited to maximum of max_concurrent_streams +and 100, similarly to priority_limit initial value, providing some tolerance +to clients trying to open several streams at the connection start, yet +low tolerance to flooding attempts. +--- + src/http/v2/ngx_http_v2.c | 15 +++++++++++++++ + src/http/v2/ngx_http_v2.h | 2 ++ + 2 files changed, 17 insertions(+) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 3611a2e..291677a 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -361,6 +361,7 @@ ngx_http_v2_read_handler(ngx_event_t *rev) + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler"); + + h2c->blocked = 1; ++ h2c->new_streams = 0; + + if (c->close) { + c->close = 0; +@@ -1320,6 +1321,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, + goto rst_stream; + } + ++ if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many streams at once"); ++ ++ status = NGX_HTTP_V2_REFUSED_STREAM; ++ goto rst_stream; ++ } ++ + if (!h2c->settings_ack + && !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG) + && h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW) +@@ -1385,6 +1394,12 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, + + rst_stream: + ++ if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many refused streams"); ++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR); ++ } ++ + if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) { + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR); + } +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index 3492297..6a7aaa6 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -125,6 +125,8 @@ struct ngx_http_v2_connection_s { + ngx_uint_t processing; + ngx_uint_t frames; + ngx_uint_t idle; ++ ngx_uint_t new_streams; ++ ngx_uint_t refused_streams; + ngx_uint_t priority_limit; + + ngx_uint_t pushing; +-- +2.31.1 + diff --git a/SOURCES/0010-defer-ENGINE_finish-calls-to-a-cleanup.patch b/SOURCES/0010-defer-ENGINE_finish-calls-to-a-cleanup.patch new file mode 100644 index 0000000..030c34a --- /dev/null +++ b/SOURCES/0010-defer-ENGINE_finish-calls-to-a-cleanup.patch @@ -0,0 +1,126 @@ +From e0e6437b1f1c723a52ac26a7e700113753331ecd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Thu, 13 Jun 2024 17:44:28 +0200 +Subject: [PATCH] defer ENGINE_finish() calls to a cleanup + +--- + src/event/ngx_event_openssl.c | 51 +++++++++++++++++++++++++++-------- + 1 file changed, 40 insertions(+), 11 deletions(-) + +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +index fb05ab9..3e06791 100644 +--- a/src/event/ngx_event_openssl.c ++++ b/src/event/ngx_event_openssl.c +@@ -16,7 +16,7 @@ typedef struct { + ngx_uint_t engine; /* unsigned engine:1; */ + } ngx_openssl_conf_t; + +- ++static ngx_int_t ngx_ssl_engine_cleanup(void *data); + static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, + ngx_str_t *cert, STACK_OF(X509) **chain); + static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, +@@ -144,6 +144,15 @@ int ngx_ssl_certificate_name_index; + int ngx_ssl_stapling_index; + + ++static ngx_int_t ++ngx_ssl_engine_cleanup(void *data){ ++ ENGINE *e = data; ++ ++ ENGINE_finish(e); ++ ++ return NGX_OK; ++} ++ + ngx_int_t + ngx_ssl_init(ngx_log_t *log) + { +@@ -650,8 +659,9 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, + + #ifndef OPENSSL_NO_ENGINE + +- u_char *p, *last; +- ENGINE *engine; ++ u_char *p, *last; ++ ENGINE *engine; ++ ngx_pool_cleanup_t *cln; + + p = cert->data + sizeof("engine:") - 1; + last = (u_char *) ngx_strchr(p, ':'); +@@ -676,6 +686,16 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, + return NULL; + } + ++ cln = ngx_pool_cleanup_add(pool, 0); ++ if (cln == NULL) { ++ *err = "failed to add ENGINE cleanup"; ++ ENGINE_free(engine); ++ return NULL; ++ } ++ ++ cln->handler = ngx_ssl_engine_cleanup; ++ cln->data = engine; ++ + *last++ = ':'; + + struct { +@@ -689,7 +709,6 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, + return NULL; + } + +- ENGINE_finish(engine); + ENGINE_free(engine); + + /* set chain to null */ +@@ -868,11 +887,13 @@ ngx_ssl_pass_phrase_callback(char *buf, int bufsize, int rwflag, void *u) + static EVP_PKEY * + ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_array_t *passwords, ngx_ssl_ppdialog_conf_t *dlg) + { +- BIO *bio; +- EVP_PKEY *pkey; +- ngx_str_t *pwd; +- ngx_uint_t tries; +- pem_password_cb *cb; ++ BIO *bio; ++ EVP_PKEY *pkey; ++ ngx_str_t *pwd; ++ ngx_uint_t tries; ++ pem_password_cb *cb; ++ ngx_pool_cleanup_t *cln; ++ + + if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) { + +@@ -904,18 +925,26 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, ngx_str_t *key, ngx_a + return NULL; + } + ++ cln = ngx_pool_cleanup_add(pool, 0); ++ if (cln == NULL) { ++ *err = "failed to add ENGINE cleanup"; ++ ENGINE_free(engine); ++ return NULL; ++ } ++ ++ cln->handler = ngx_ssl_engine_cleanup; ++ cln->data = engine; ++ + *last++ = ':'; + + pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); + + if (pkey == NULL) { + *err = "ENGINE_load_private_key() failed"; +- ENGINE_finish(engine); + ENGINE_free(engine); + return NULL; + } + +- ENGINE_finish(engine); + ENGINE_free(engine); + + return pkey; +-- +2.44.0 + diff --git a/SOURCES/0011-Optimized-chain-link-usage.patch b/SOURCES/0011-Optimized-chain-link-usage.patch new file mode 100644 index 0000000..afbd7aa --- /dev/null +++ b/SOURCES/0011-Optimized-chain-link-usage.patch @@ -0,0 +1,183 @@ +From f3bcc0bcfb6eda3f4874fe2531d546ba724c518c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Wed, 12 Jun 2024 12:49:28 +0200 +Subject: [PATCH] Optimized chain link usage + +Previously chain links could sometimes be dropped instead of being reused, +which could result in increased memory consumption during long requests. +--- + src/core/ngx_output_chain.c | 10 ++++++++-- + src/http/modules/ngx_http_grpc_module.c | 5 ++++- + .../modules/ngx_http_gunzip_filter_module.c | 18 ++++++++++++++---- + src/http/modules/ngx_http_gzip_filter_module.c | 10 +++++++--- + src/http/modules/ngx_http_ssi_filter_module.c | 8 ++++++-- + src/http/modules/ngx_http_sub_filter_module.c | 8 ++++++-- + 6 files changed, 45 insertions(+), 14 deletions(-) + +diff --git a/src/core/ngx_output_chain.c b/src/core/ngx_output_chain.c +index 5c3dbe8..4aa1b02 100644 +--- a/src/core/ngx_output_chain.c ++++ b/src/core/ngx_output_chain.c +@@ -121,7 +121,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in) + + ngx_debug_point(); + +- ctx->in = ctx->in->next; ++ cl = ctx->in; ++ ctx->in = cl->next; ++ ++ ngx_free_chain(ctx->pool, cl); + + continue; + } +@@ -207,7 +210,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in) + /* delete the completed buf from the ctx->in chain */ + + if (ngx_buf_size(ctx->in->buf) == 0) { +- ctx->in = ctx->in->next; ++ cl = ctx->in; ++ ctx->in = cl->next; ++ ++ ngx_free_chain(ctx->pool, cl); + } + + cl = ngx_alloc_chain_link(ctx->pool); +diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c +index 53bc547..9f13089 100644 +--- a/src/http/modules/ngx_http_grpc_module.c ++++ b/src/http/modules/ngx_http_grpc_module.c +@@ -1230,7 +1230,7 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in) + ngx_buf_t *b; + ngx_int_t rc; + ngx_uint_t next, last; +- ngx_chain_t *cl, *out, **ll; ++ ngx_chain_t *cl, *out, *ln, **ll; + ngx_http_upstream_t *u; + ngx_http_grpc_ctx_t *ctx; + ngx_http_grpc_frame_t *f; +@@ -1458,7 +1458,10 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in) + last = 1; + } + ++ ln = in; + in = in->next; ++ ++ ngx_free_chain(r->pool, ln); + } + + ctx->in = in; +diff --git a/src/http/modules/ngx_http_gunzip_filter_module.c b/src/http/modules/ngx_http_gunzip_filter_module.c +index c1341f5..5d170a1 100644 +--- a/src/http/modules/ngx_http_gunzip_filter_module.c ++++ b/src/http/modules/ngx_http_gunzip_filter_module.c +@@ -333,6 +333,8 @@ static ngx_int_t + ngx_http_gunzip_filter_add_data(ngx_http_request_t *r, + ngx_http_gunzip_ctx_t *ctx) + { ++ ngx_chain_t *cl; ++ + if (ctx->zstream.avail_in || ctx->flush != Z_NO_FLUSH || ctx->redo) { + return NGX_OK; + } +@@ -344,8 +346,11 @@ ngx_http_gunzip_filter_add_data(ngx_http_request_t *r, + return NGX_DECLINED; + } + +- ctx->in_buf = ctx->in->buf; +- ctx->in = ctx->in->next; ++ cl = ctx->in; ++ ctx->in_buf = cl->buf; ++ ctx->in = cl->next; ++ ++ ngx_free_chain(r->pool, cl); + + ctx->zstream.next_in = ctx->in_buf->pos; + ctx->zstream.avail_in = ctx->in_buf->last - ctx->in_buf->pos; +@@ -374,6 +379,7 @@ static ngx_int_t + ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r, + ngx_http_gunzip_ctx_t *ctx) + { ++ ngx_chain_t *cl; + ngx_http_gunzip_conf_t *conf; + + if (ctx->zstream.avail_out) { +@@ -383,8 +389,12 @@ ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r, + conf = ngx_http_get_module_loc_conf(r, ngx_http_gunzip_filter_module); + + if (ctx->free) { +- ctx->out_buf = ctx->free->buf; +- ctx->free = ctx->free->next; ++ ++ cl = ctx->free; ++ ctx->out_buf = cl->buf; ++ ctx->free = cl->next; ++ ++ ngx_free_chain(r->pool, cl); + + ctx->out_buf->flush = 0; + +diff --git a/src/http/modules/ngx_http_gzip_filter_module.c b/src/http/modules/ngx_http_gzip_filter_module.c +index b8c5ccc..1d17a6d 100644 +--- a/src/http/modules/ngx_http_gzip_filter_module.c ++++ b/src/http/modules/ngx_http_gzip_filter_module.c +@@ -978,10 +978,14 @@ static void + ngx_http_gzip_filter_free_copy_buf(ngx_http_request_t *r, + ngx_http_gzip_ctx_t *ctx) + { +- ngx_chain_t *cl; ++ ngx_chain_t *cl, *ln; ++ ++ for (cl = ctx->copied; cl; /* void */) { ++ ln = cl; ++ cl = cl->next; + +- for (cl = ctx->copied; cl; cl = cl->next) { +- ngx_pfree(r->pool, cl->buf->start); ++ ngx_pfree(r->pool, ln->buf->start); ++ ngx_free_chain(r->pool, ln); + } + + ctx->copied = NULL; +diff --git a/src/http/modules/ngx_http_ssi_filter_module.c b/src/http/modules/ngx_http_ssi_filter_module.c +index 6737965..a55f6e5 100644 +--- a/src/http/modules/ngx_http_ssi_filter_module.c ++++ b/src/http/modules/ngx_http_ssi_filter_module.c +@@ -455,9 +455,13 @@ ngx_http_ssi_body_filter(ngx_http_request_t *r, ngx_chain_t *in) + while (ctx->in || ctx->buf) { + + if (ctx->buf == NULL) { +- ctx->buf = ctx->in->buf; +- ctx->in = ctx->in->next; ++ ++ cl = ctx->in; ++ ctx->buf = cl->buf; ++ ctx->in = cl->next; + ctx->pos = ctx->buf->pos; ++ ++ ngx_free_chain(r->pool, cl); + } + + if (ctx->state == ssi_start_state) { +diff --git a/src/http/modules/ngx_http_sub_filter_module.c b/src/http/modules/ngx_http_sub_filter_module.c +index 6d3de59..456bb27 100644 +--- a/src/http/modules/ngx_http_sub_filter_module.c ++++ b/src/http/modules/ngx_http_sub_filter_module.c +@@ -335,9 +335,13 @@ ngx_http_sub_body_filter(ngx_http_request_t *r, ngx_chain_t *in) + while (ctx->in || ctx->buf) { + + if (ctx->buf == NULL) { +- ctx->buf = ctx->in->buf; +- ctx->in = ctx->in->next; ++ ++ cl = ctx->in; ++ ctx->buf = cl->buf; ++ ctx->in = cl->next; + ctx->pos = ctx->buf->pos; ++ ++ ngx_free_chain(r->pool, cl); + } + + if (ctx->buf->flush || ctx->buf->recycled) { +-- +2.44.0 + diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec index a3bd8c8..ad8360f 100644 --- a/SPECS/nginx.spec +++ b/SPECS/nginx.spec @@ -56,7 +56,7 @@ Name: nginx Epoch: 1 Version: 1.22.1 -Release: 4%{?dist} +Release: 8%{?dist} Summary: A high performance web server and reverse proxy server # BSD License (two clause) @@ -111,6 +111,15 @@ Patch5: 0007-Enable-TLSv1.3-by-default.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2170808 Patch6: 0008-add-ssl-pass-phrase-dialog.patch +# security fix - https://issues.redhat.com/browse/RHEL-12737 +Patch7: 0009-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch + +# downstream patch - https://issues.redhat.com/browse/RHEL-40621 +Patch8: 0010-defer-ENGINE_finish-calls-to-a-cleanup.patch + +# upstream patch - https://issues.redhat.com/browse/RHEL-40075 +Patch9: 0011-Optimized-chain-link-usage.patch + BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2 @@ -623,6 +632,19 @@ fi %changelog +* Tue Jul 16 2024 Luboš Uhliarik - 1:1.22.1-8 +- Resolves: RHEL-49349 - nginx worker processes memory leak + +* Thu Jun 13 2024 Luboš Uhliarik - 1:1.22.1-7 +- Resolves: RHEL-40621 - openssl 3.2 ENGINE regression in nginx + +* Thu May 23 2024 Luboš Uhliarik - 1:1.22.1-6 +- Resolves: RHEL-32650 - Nginx seg faults when proxy_ssl_certificate is set + +* Mon Oct 16 2023 Luboš Uhliarik - 1:1.22.1-5 +- Resolves: RHEL-12737 - nginx:1.22/nginx: HTTP/2: Multiple HTTP/2 enabled web + servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487) + * Mon Aug 07 2023 Luboš Uhliarik - 1:1.22.1-4 - Resolves: #2170808 - Running nginx with systemctl and entering ssl private key's pass phrase